My daughter brought home her laptop from college full of all kinds of crap. She had let her McAfee protections lapse. This was bad enough; then little brother apparently visited some poker site(s) and unleashed Aurora / Nail. I've been hitting it with everything possible: Norton AV, Ad-Aware, AwareAlert (bye bye $29.90), Spy Sweeper, & SpyBot. I've been in the registry to the extent I dare. I even followed some advice on a spyware blog and edited the dreaded nail.exe, filling much of it with trash and corrupting it so that it can't run on Windows XP boot-up. I was reluctant to visit the @$$h0|e$ at www.revenue-direct.com responsible for this and use their uninstall utility because it itself downloads more cr@p. The pop-ups seem to have diminished, but her system is still running like a dog. This makes troubleshooting even more irritating.

Here is my HijackThis log file. I'm fairly computer savvy, which makes not being able to zap this all the more galling. Help would be greatly appreciated and would certainly result in a contribution to Spyware Warrior. (Maybe I can get my money back from AdwareAlert and forward it.)

I've been hammering and hammering at this. Things have improved. Maybe corrupting the Nail.exe file as I did was the ticket. It seems to have kept it from running while I cleaned up. No more windows\nail.exe. I'm still working a PowerCinema boot warning problem and some Windows update ones. (When I go to windowsupdate.microsoft.com the page is blank and nothing happens.)

Here is the latest Hijack log. Expert input would be greatly appreciated to see if I have indeed eliminated all the cr@p. Thanks.

Thanks for checking in. I thought I was okay, but came back just to check. I downloaded ewido and started the scan in safe mode. Dang! That is one long scan. Particularly the time it kept going after it reached 100%. Then I got a Security Suite error and it ended. Apparently no log file was created. I'll try again.

Yeah, the AdwareAlert may have been a waste. They were helpful though when I pointed out that they didn't zap nail.exe. Money back? Hah!

Here they are. ewido still took a long time but found some stuff. Computer seems to be running slower, particularly on start-up. I may have too many anti-whatever programs running, looking for updates. Here's the ewido log, followed by the HijackThis log. Please advise if I'm out of the woods yet. (Although I uninstalled WeatherBug, some components linger.) Thanks!

MaccDuff

P.S. I may have suffered some collateral damage in the spyware battle, including incomplete XP updates, a PowerCinema problem (reported on each boot), no access to Dell ServiceCenter, and an inoperative Search function in Windows Explorer.

Hello, Spyware Warriors! Blender, are you there? I realize that Aurora probably has you swamped, but I'd like to know if I'm done. The computer in question has apparently suffered some collateral damage (boot errors, missing Explorer features, updates that won't take, etc.) and I'm considering reinstalling XP - which I really don't want to. System Restore may have been a casualty.

Thanks for checking back. I suspected I might still have some problems, although I attributed them to collateral damage from my attempts to fix this problem. Below are a current HijackThis log and a startuplist log; that one is long. Hope I haven't done anything permanent. I've been this close to reinstalling/repairing XP and starting over. I did install SP2 and a few things cleared up. Among the other curious behaviors are the following:

I get a PowerCinema from Dell bootup error every time. Four chat sessions with Dell haven't solved it. They referred me to their phone help.

After installing SP2, System Restore now works. However, I can only restore points saved after the SP2 install. In hindsight, maybe I should have tried a restore when all this began.

The Search function of Windows Explorer tells me it's missing a file. At least after I installed SP2 I now get the little dog.

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Update your Ewido
Many suggest to uninstall the background guard.
You can do that from main ewido window.
Likely requires a reboot.
After the 14 day trial is up...background guard is not gonna work anyway.
Manual updates/scan/clean still work tho...

You posted two responses back to back. It doesn't look like the 2nd applies to me. Does it? Anyway, I'm going to get to work on the details of the preceding one, which does appear directed to me. In the meantime, let me answer the two questions.

1. On bootup, a dialog box pops up saying "PowerCinema Resident Program for Dell ... has encountered problems. Please tell Microsoft about this error." There is an option to send Microsoft an error report, as well as to see what it contains. Selecting either opens another dialog box either to send the message or give more info on the error. It lists the location of the text file with the error. I have the box itself captured in a screen shot as well as the text file itself.

2. No file is specified. The dialog box is titled "Error" and simply has a line saying "A file that is required to run Search Companion cannot be found. You may need to run setup." Windows Explorer seems to take longer than it should to open.

I followed your instructions. I did not have access to www.downloads.subratam.org, so I downloaded KillBox from www.bleepingcomputer.com. I copied the names of the files of interest from your message into the clipboard (copy buffer). But when I used the "Paste from Clipboard" option in KillBox nothing happened. Nothing appeared in the Full Path of File to Delete box, so pressing the red "kill" button gives an error that I haven't specified a file. I can Paste in the now-yellow File box, but only the first file name (ndbc.exe) appears.

I get it, paste one at a time. Seems weird to have a feature like "Paste from Clipboard" when you can right-click then Paste. I figured "Paste from Clipboard" was just a way to add multiple files in one operation.

Normally the "paste from clipboard" works fine...exactly what that "paste from clipboard" is for. Works nice when there are a ton of files.

Couple possible reasons it is not.

Either some of the files in the list don't exist, or malware is preventing copying of the entire list.
Some of the malwares target killbox and try to intercept the "pending operations", which is why I had you say NO at the pending operations prompt and then reboot manually. Kinda tricking it...

I'm leaning towards files not present...I just tried it with a short list of bogus files and got the same error with the yellow box.
By doing one at a time...kb will tell you if file present or not.

I work long shifts this weekend so it may take a bit for me to get back to you...Will get back asap.
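One way to see for yourself whether a "delete at reboot" request is still queued before you restart, as an added example and not something posted in this thread: KillBox-style tools work by writing the file into the PendingFileRenameOperations value under the Session Manager key, which Windows processes at the next boot. The key and value name are the real Windows ones; the function name and the output layout are this example's own choices.

```powershell
# Added example (not from the thread): list the file operations Windows has queued
# for the next reboot. PendingFileRenameOperations is a REG_MULTI_SZ holding pairs
# of strings: source path, then destination; an empty destination means "delete".
# Paths in the value are normally prefixed with \??\, which is stripped for display.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

function Get-PendingFileOperation {
    # -ErrorAction SilentlyContinue: if the value is absent, $item is $null
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Output "No $name value present - nothing is queued (or something removed it)."
        return
    }
    $entries = @($item.$name)
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $src = $entries[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
        if ([string]::IsNullOrEmpty($dst)) {
            [pscustomobject]@{ Action = 'Delete'; Source = $src; Destination = '' }
        } else {
            [pscustomobject]@{ Action = 'Rename'; Source = $src;
                               Destination = ($dst -replace '^\\\?\?\\', '') }
        }
    }
}

Get-PendingFileOperation | Format-Table -AutoSize
```

Run it after queuing the deletions and before rebooting: the files you entered should show up as Delete rows. If the value is missing or empty when you expected entries, something else cleared it before the reboot, which is the situation the "removed by External Process" message above is warning about.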

Here's what happened. I'm including minor details that may or may not be significant.

I pasted the five files of interest individually into the KillBox window. The option presented was not "Backup and Delete file at Reboot" but rather "All listed files will be deleted." I don't think I got a "Pending Operations prompt". After each file load into KillBox, it prompted me to reboot. After the last file, I clicked "Yes" to reboot. I got a warning/error dialog box from KillBox saying "PendingFileRename Operations Registry Data has been removed by External Process!" Hope that's KillBox doing its thing and not something else thwarting it.

I then rebooted in Safe Mode and ran "remove.reg" (double-clicked) and responded affirmatively to its prompt. I then ran HijackThis, selected the files of interest, then "Fix Checked".

Interestingly, I see a file of interest related to the Dell PowerCinema boot error listed in the Hijack log. It is pcmservice.exe. This file is identified upon selecting the Show More Info option on the error dialog box.

Deleted the AWS folder, cleared recycle bin and temporary internet files including offline content. Is there something else to "emptying temp files"? There seem to be a lot of things in randomly named subfolders under a Documents and Settings\...\temp folder.

Running Ewido . . . Taking a long time now that there are restore points to check. It found nothing. (Oops, where's that log file? Thought I saved it, but can't find it.) Anyway, it found nothing. Below is the HijackThis log. Looks like those nasties you ID'ed are gone.

I'll continue with the actions you recommended in your other message. I'll probably be out of touch for a week or so, but no one will be using the computer in question. When I get back, I'll let you know what happened. Please post any other info that may help.

I didn't see your latest until I had posted myself. Yes, it appears that malware may have targeted KillBox itself and interfered with the "pending operations". Hence the error message. I rebooted from KillBox and not manually; didn't know I should have done differently.

Understand about working late shifts. Whatever you can do, when you do it, is appreciated.

Is there an easier way to find my posts than by scrolling through the pages? If I'm gone for a week and you post a reply sometime in the interim, that might be a lot of searching. Thanks.

Here're the results from the RKFiles activity (log.txt). I didn't run in Safe mode or have Qoologic available (as noted), but I figured it couldn't hurt especially since I won't be around for a week.

Yes, I had noted that System Defrag didn't work when I tried it a few days ago.

MaccDuff

C:\Antispyware

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

I'm back and followed up on a few of the things you noted. I uninstalled Viewpoint. Interesting, as I was about to, it gave me a popup-type window. I had never seen ViewPoint before, but it's gone now.

I used Disk Cleanup to clear out the temp files. However, Disk Defrag still doesn't work. It complains about C:\Windows\System32\DFRG.MSC, although this file exists.

I'm not sure what PowerCinema is supposed to do. It's probably part of the PowerDVD player. When I run pcmservice.exe, I get the same error as on bootup. There's another file in the same folder pcm2.exe that gives a similar error. Guess I need to call Dell.

Ran the two regsvr dlls you recommended. Both were successful, but Search companion still doesn't work. Same generic complaint about a file missing.

Many thanks for your help. I think the spyware itself is dead, although these other glitches may be collateral damage.

I followed your advice on Search companion. After wanting msgr3en.dll (which I vectored it to), the operation also wanted nls302en.lex. Since I can't Search I couldn't look for it, but I had my XP CD and I managed to locate it there. Despite all that, the fix didn't work.

Nor did either of the Defrag recommendations. I got success on both of the first two regsvr's, but there was no change. When I tried to install dfrg.inf, nothing happened; I wasn't even prompted for any files. The error I get points to C:\Windows\System32\DFRG.MSC. It says either the file isn't there (it is), it's not an MMC console, it was created by a later version of MMC, or I don't have privilege. Running defrag.exe in the same folder gives the same error.

Any other ideas, O spyware seer?

On a brighter note, the PowerCinema boot error seems to have stopped. I finally called Dell Support about this (as directed by their chat folks). Since they considered this a SW error and I only have HW maintenance, they said it would cost $59 for a one-time support charge to troubleshoot it. I just wanted them to tell me what the thing was and what it did so I could gauge what would happen if I zapped it. He directed me to Google around and see what I could find. Big help, Dell. Not sure how or why it disappeared, but it seems gone.

I've been considering whether it would be worth it to do a reinstall/repair of XP. What might I lose if I did so? Hopefully it would fix Search, Defrag, and any other system type functions. What do you think?

I believe the power cinema bootup error is gone cus we disabled it with hijackthis....basically told it to not start at bootup.
Unless you were playing around disabling/re-enabling it and still getting errors?

I'm pretty sure the error would return if you were to restore this item in Hijackthis: (Hijackthis> misc tools> backups)

If you do a repair install of xp...you will lose all your updates. some programs may not work correctly till you re-install the updates including sp2.

I recommend you back up your IE Favorites folder & your "my documents" folder, as well as your contact list from OE if you use it.
I believe repair replaces those folders with fresh empty ones.
Your other data *should remain untouched. As a precaution....back up your important stuff (burn to cd preferably)

I wonder....Before we do repair...

Are you able to access mmc at all?

Can you run any of these from the run box?

services.msc
eventvwr.msc
gpedit.msc

Any of those give errors?

Can you open anything in admin tools from control panel?

How about start> "help & support"....open to blank page or error?

control panel> user accounts. Blank page?

windows update is ok and System restore is ok altho you no longer can access any updates prior to sp2 install....correct?

Windows media player work ok? Error when starting it?

I'd like to see some reg info please...

copy the following text to a new notepad file
Save as file name export.bat
As file types all files
Save it to the desktop.

Glad your motto is "Never give up!" Were I you, I think I might have given up a while back.

Here are the answers:

None of the three .msc files run from the run box. The first two give the same sort of error I see for DFRG.MSC; the third is a more generic "Can't find the file." error.

Help and Support is weird. I get the right screen, but it is really whited out. I have to look at the laptop monitor at an extreme angle to see anything. But I think the things there "work".

User Accounts seems to work.

Windows Update really isn't okay. Although I've downloaded several updates recently, automatic updates always shows two updates pending that always try to autoload on bootup: GDI+ Detection Tool and Malicious SW Removal Tool - June 2005. Interesting failures given the ongoing battle eh? Going to the Windows update page results in nothing; I don't get vectored to the XP page. When I set the browser there manually, I get an error that Microsoft wants to know about. I've exchanged a couple e-mails with them about how to fix it, but all they've done is given me a few things to try (and mark the case closed). No real follow-up (not like good ol' Blender to be sure).

System Restore seems to be as you stated.

Media Player appears to work, although it asked me for some setup info when I opened it. (Not sure how often it's been used.)

Thanks for your inputs. I'll try them at first opportunity, but my daughter took her laptop with her for a day or so.

CyberLink wanted a screenshot of the PowerCinema error. Even though disabling it has solved the error without any obvious downside, I may send it to them. They still won't tell me though exactly what PowerCinema does.

I finally heard back from Microsoft on my XP Update failures. They said, "You might have a virus." Gee, really? The only other advice was to repair XP from CD. I've been resisting that, but - with Blender's advice and a detailed MS page on how - I may try it. I've reloaded OSs once or twice before; it was irritating.

Ewido has expired. Good to know it's there again if I need it.

Speaking of no protection: a guru friend of mine said he read where an XP OS operating on an open network will be polled within 15 minutes by someone trying to get in. D@mn the hackers!

Okay, I took care of the iPod entries with HijackThis. Not sure what they are/were doing, but they should be gone.

Now then, Kaspersky was extremely frustrating.

First, the link takes you to a page for Kaspersky to sell you an anti-virus book. So I roamed around their site until I found the download. A whopper: 12MB. I downloaded this and installed it. It then downloaded its AV definitions: another 3 MB. However, when I tried to run K-AV it kept complaining that its database was corrupted. It would download some more files, but still kept saying it was corrupted. I did this in various combinations of Safe Mode and Normal mode. I noticed when installing K-AV that it finds NAV and says to uninstall it, not merely disable it. Well, I ain't gonna do that. I uninstalled K-AV and reinstalled it; same problems. I have to think K-AV's conflicting with NAV.

Other than that, things seem as they were. I'm still considering repairing XP, but all the generic warnings about possibly losing files have me concerned. The other thing that concerns me is that I'll then have to reinstall all the XP updates. I have SP2 on CD, but since Windows Update is one of the things that's not 100% functional right now, I'd hate to have to rely on it. (Ironic, eh? The thing that needs fixing is itself part of the solution to fixing it.) I have the detailed instructions on how to do the repair both from the XP site and in a Microsoft e-mail. So why am I still worried?

That Psof1 entry from Panda...it is in a different location in registry than the one we fixed in HJT.

The one we fixed in HJT was here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

***********

dllcache folder is a protected folder....M$ "super hides" it.
Don't try creating one cus if you are successful...you will effectively delete the folder where Windows stores its protected file copies.
That would be bad...
Windows likely won't let you anyway but I have seen stranger things happen.

Open folder options in control panel
Under hidden files and folders UNcheck these 2 items:

Took care of what Panda found as you recommended. No problems during the operation, so I assume the baddies are gone.

Looks like still no luck with the DLLs though. I un-super-protected the DLLCACHE folder, renamed the files to .OLD, and watched new copies of .DLL appear. But after rebooting, nothing new: WinEx's Search feature gives the same error and as does Defragmenter. One point: You said "If still no go...try registering those files again, reboot". Remind me again how to register those files.

One good point: My guru buddy pointed out there's a manual Defrag that you can run from the Command Prompt. Running it now . . . Then again, he didn't want to join me for an XP Repair session. A fellow guru said he'd tried this a couple times and ended up just reinstalling it. And I got the usual generic warnings about backing things up . . .

In thinking about repairing XP, I thought I'd check out the CD-DVD burner in case I want to back things up to a CD. The application is Sonic's RecordNow. When I clicked it, I got a small dialog box with a red X circled and an OK box. In other words, it did about the least possible. So I got the CD to reinstall the two. Trying this gave another dialog box with the header "16 bit Windows Subsystem" and the message:

C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate this application.

There are Close and Ignore options that do the same thing - nothing. The Sonic site doesn't offer much help, particularly since this preload doesn't have a serial number, which is needed to log on for assistance. So I don't have a CD burner to back anything up. Sure, I can just copy the files elsewhere on the hard drive but not having an install disk work is very worrisome.

Any advice? Could this be related to the PowerCinema disablement? Should I just cross my fingers, repair XP, and hope?